Suppose you have a server that is not directly reachable from your ssh client. Suppose also that some users need to reach this server, but you cannot give them a shell account on the intermediate machine (call it Tunnel) that can see, and be seen by, both ends. The trick below is to have Tunnel hold an ssh connection to the server open permanently and publish the server's own sshd on a local port: the users log in through that port with their own server accounts and never get anything on Tunnel itself.
Tunnel 192.168.0.254 and 10.0.0.254
Generate the tunnel SSH key pair on Tunnel. Leave the passphrase empty: the key is used unattended from init, so nothing is there to type one in.
# ssh-keygen -t dsa -b 1024 -C "Tunnel Key" -f /root/.ssh/tunnel.id_dsa
Note that 1024-bit DSA is weak by today's standards and OpenSSH 7.0 and later refuse ssh-dss keys by default; on a current system use -t ed25519 instead and keep the same -f path so the remaining steps apply unchanged.
Add this to /etc/inittab. The last argument is the user@host to log in to on the server; it is shown here only as a placeholder and should be tunnel@ followed by the server's address, matching the account created on the server below. Before adding the line, run the same ssh command once interactively as root so the server's host key lands in /root/.ssh/known_hosts: under init there is no terminal to answer the host-key prompt, so the respawned ssh would simply fail.
tun1:2345:respawn:/usr/bin/ssh -n -N -T -i /root/.ssh/tunnel.id_dsa -L 192.168.0.254:2222:127.0.0.1:22 email@example.com
This listens on 192.168.0.254 port 2222 on Tunnel and forwards each connection over the ssh session to port 22 on the server's loopback interface. -n takes stdin from /dev/null, -N requests no remote command and -T no pty, so the tunnel account never needs a working shell. Two caveats: if ssh exits immediately (bad key, no route, host key mismatch) init respawns it in a tight loop and then disables the entry for five minutes with "respawning too fast"; and a connection that dies silently is not respawned until ssh notices, so add -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes to make it exit promptly in both cases. On systemd-based systems /etc/inittab is not read at all; the equivalent is a service unit with Restart=always.
Tell init to reload
# telinit q
If you check 'ps -ef' you will see an ssh session running from init, and 'netstat -ltn' (or 'ss -ltn') shows the listener on 192.168.0.254:2222.
On the server, create an account whose only purpose is to hold the tunnel key. useradd leaves its password locked, and /bin/false means nobody gets a shell even after authenticating as it:
# useradd -s /bin/false tunnel
# mkdir ~tunnel/.ssh
# vi ~tunnel/.ssh/authorized_keys
(add tunnel.id_dsa.pub from Tunnel:/root/.ssh/ here)
# chown tunnel:tunnel ~tunnel/.ssh ~tunnel/.ssh/authorized_keys
# chmod 700 ~tunnel/.ssh
# chmod 600 ~tunnel/.ssh/authorized_keys
The modes matter: sshd's StrictModes (on by default) ignores the key if the home directory, ~/.ssh or authorized_keys is writable by anyone but the owner. Also prefix the key line with options so the key can do nothing except the one forward it exists for: restrict,port-forwarding,permitopen="127.0.0.1:22" (OpenSSH 7.2 or later; on older versions use no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="127.0.0.1:22"). Without permitopen, whoever holds the key can use the server as a jump point to any host it can reach, not just its own sshd.
Users then reach the server's sshd through Tunnel, authenticating with their own server accounts:
ssh -p 2222 192.168.0.254
The host key they are offered (stored in known_hosts under [192.168.0.254]:2222) is the server's, not Tunnel's, because the forward ends at the server's own sshd. Note that anyone who can reach 192.168.0.254:2222 can now attempt logins on the server, so firewall the port to the intended users unless Tunnel's 192.168.0.x side is already trusted.
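As an added example (not code from the original page), the shell helpers below generate the two artifacts of this setup, the inittab respawn line with the fail-fast options and the restricted authorized_keys entry, and check the file modes sshd's StrictModes insists on. The server address 10.0.0.254 in the demonstration call and the sample public key are assumptions; the key path, bind address, port and account name are the page's own.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for the respawned
# ssh tunnel described above. The server address 10.0.0.254 used in the
# demonstration below is an assumption.

# Build the ssh command line for the inittab respawn entry. On top of the
# page's -n -N -T -i KEY -L ... it adds options that make an unattended,
# respawned client fail fast instead of hanging:
#   BatchMode=yes             never block on a passphrase or host-key prompt
#   ExitOnForwardFailure=yes  exit (so init respawns) if the -L bind fails
#   ServerAliveInterval/CountMax  exit within ~90s once the peer is dead
# Usage: tunnel_ssh_cmd KEYFILE BIND_ADDR LOCAL_PORT USER@SERVER
tunnel_ssh_cmd() {
    printf '%s' "ssh -n -N -T -i $1 -o BatchMode=yes -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -L $2:$3:127.0.0.1:22 $4"
}

# Full /etc/inittab line wrapping that command (id tun1, runlevels 2-5).
inittab_line() {
    printf 'tun1:2345:respawn:/usr/bin/%s\n' "$(tunnel_ssh_cmd "$@")"
}

# authorized_keys line for the tunnel account on the server.
# 'restrict' disables pty allocation, agent/X11 forwarding, rc files and
# port forwarding; 'port-forwarding' re-enables only that, and 'permitopen'
# confines -L targets to the server's own sshd. Needs OpenSSH 7.2+.
# Usage: restricted_key_line "PUBKEY_LINE"
restricted_key_line() {
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:22" %s\n' "$1"
}

# Check the modes StrictModes requires: the .ssh directory must be 700 and
# authorized_keys 600 (or 700, as on the page). Returns 1 otherwise.
# Usage: key_perms_ok /home/tunnel/.ssh
key_perms_ok() {
    dir=$1
    [ -n "$(find "$dir" -prune -perm 700)" ] || return 1
    [ -n "$(find "$dir/authorized_keys" -prune \( -perm 600 -o -perm 700 \))" ] || return 1
}

# Demonstration: print both lines. The public key is constructed, not real.
inittab_line /root/.ssh/tunnel.id_dsa 192.168.0.254 2222 tunnel@10.0.0.254
restricted_key_line "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey Tunnel Key"
```

Paste the first line of output into /etc/inittab on Tunnel and the second into ~tunnel/.ssh/authorized_keys on the server (replacing the sample key with the real tunnel.id_dsa.pub), then run key_perms_ok on the server's ~tunnel/.ssh before the first telinit q.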
Season to taste.